Buffer overflow in sc_hsm_compute_signature() in pkcs11-tool while signing data #723

Closed
thokon00 opened this issue Mar 29, 2016 · 0 comments


Expected behaviour

pkcs11-tool should not crash. It should create an error message because it cannot sign data which is greater than 261 bytes in length.

Actual behaviour

pkcs11-tool crashes because of a buffer overflow in card-sm-hsm.c. The function lacks a check of the datalen variable. Under certain conditions the datalen exceeds the SC_MAX_APDU_BUFFER_SIZE, which causes memcpy to exceed the limit of the buffer.

Steps to reproduce

  1. create an EC key pair on a SmartCard-HSM by issuing the command:
    pkcs11-tool --login --pin 123456 --keypairgen --key-type EC:secp256k1 --id 1 --label ECkey
  2. try to sign e.g. the file version.m4 (468 bytes) from the top level of the OpenSC tree by issuing the command:
    pkcs11-tool --pin 123456 --sign --input version.m4 --id 1

pkcs11-tool then crashes emitting the log output below.

Logs

Using slot 0 with a present token (0x0)
Using signature algorithm ECDSA
*** buffer overflow detected ***: pkcs11-tool terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f53225f838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f532268fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7f532268eb60]
/data/coins/OpenSC/target/lib/libopensc.so.4(+0xc842f)[0x7f5322e3442f]
/data/coins/OpenSC/target/lib/libopensc.so.4(sc_compute_signature+0x75)[0x7f5322d90465]
/data/coins/OpenSC/target/lib/libopensc.so.4(+0x4245e)[0x7f5322dae45e]
/data/coins/OpenSC/target/lib/libopensc.so.4(sc_pkcs15_compute_signature+0x4ff)[0x7f5322daf3bf]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(+0x176f9)[0x7f53221516f9]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(+0x104ff)[0x7f532214a4ff]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(+0x11ce9)[0x7f532214bce9]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(C_Sign+0x13c)[0x7f53221470bc]
pkcs11-tool[0x408378]
pkcs11-tool[0x40576f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f53225a6ec5]

viktorTarasov pushed a commit to viktorTarasov/OpenSC-SM that referenced this issue Apr 17, 2016
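
The missing length check described in this issue, as an added C example that is not OpenSC's code and not the fix from the referenced commit: the unchecked copy beside a bounded version that returns an error. All ex_/EX_ names are hypothetical, and the 261-byte buffer size is assumed from the limit quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for this sketch; 261 is the limit quoted in the report. */
#define EX_APDU_BUFFER_SIZE 261
#define EX_OK 0
#define EX_ERR_INVALID_ARGUMENTS (-1)

/* Hypothetical stand-in for the fixed-size command buffer a signing routine fills. */
struct ex_apdu {
    unsigned char data[EX_APDU_BUFFER_SIZE];
    size_t datalen;
};

/* Pattern from the report: caller-controlled datalen goes straight to memcpy.
 * With datalen = 468 the copy runs past data[]; in the reported build glibc
 * aborted with "buffer overflow detected". Shown for contrast, never called. */
int ex_prepare_sign_unchecked(struct ex_apdu *apdu,
                              const unsigned char *in, size_t datalen)
{
    memcpy(apdu->data, in, datalen);
    apdu->datalen = datalen;
    return EX_OK;
}

/* Hardened form: reject oversized input before touching the buffer.
 * Truncating instead would sign data the caller never supplied. */
int ex_prepare_sign_checked(struct ex_apdu *apdu,
                            const unsigned char *in, size_t datalen)
{
    if (apdu == NULL || in == NULL)
        return EX_ERR_INVALID_ARGUMENTS;
    if (datalen > sizeof(apdu->data))
        return EX_ERR_INVALID_ARGUMENTS;
    memcpy(apdu->data, in, datalen);
    apdu->datalen = datalen;
    return EX_OK;
}

int main(void)
{
    struct ex_apdu apdu;
    unsigned char input[468];            /* constructed input, same size as version.m4 */
    memset(input, 0x41, sizeof(input));
    printf("468 bytes -> %d\n", ex_prepare_sign_checked(&apdu, input, sizeof(input)));
    printf(" 32 bytes -> %d\n", ex_prepare_sign_checked(&apdu, input, 32));
    return 0;
}
```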